ISC-Squared Security Certifications

The International Information Systems Security Certification Consortium, Inc., known as (ISC)2, offers two security certifications. The first is the Certified Information Systems Security Professional (CISSP) program, a senior-level credential aimed at full-time security professionals and consultants. The second is the Systems Security Certified Professional (SSCP), a junior-level credential aimed at those whose system or network administration duties also include routine security matters. CISSPs analyze, design, implement, and verify security policies and procedures; SSCPs carry them out and perform related maintenance tasks. The CISSP program has been around since 1992 and is widely recognized and well respected; the SSCP program has been around since 1998 and is gaining recognition as a useful entry-level security certification.

Editor's Note: This article was updated with new information on August 8, 2003.

The full name for the organization responsible for two popular
security certifications—the Certified Information Systems Security
Professional (CISSP) and the Systems Security Certified Practitioner
(SSCP)—is the International Information Systems Security Certification
Consortium, Inc. (IISSCC). Everybody takes the easy way out and calls this
group (ISC)2 (pronounced "ISC-squared")—even the
organization itself, although the preferred representation takes the form (ISC)², with the 2 as a superscript.

Certification Capsules

The (ISC)2 includes representatives from numerous
security companies, academic institutions, government agencies, and
professional associations. Working groups composed of members created and
maintain the requirements for two vendor-neutral security certifications, as
follows:

Certified Information Systems Security Professional (CISSP). The (ISC)2's senior-level security certification, the CISSP, identifies individuals who can effectively design and develop information security policies, standards, and related practices and procedures. This certification also recognizes those who can additionally manage and maintain security policies and standards as well as operational security matters across an entire organization. (ISC)2 offers three CISSP concentrations: Information System Security Architecture Professional (ISSAP), Information System Security Management Professional (ISSMP), and Information System Security Engineering Professional (ISSEP). Because the CISSP certification has been around since 1992, it's the oldest such certification that we know about. It also boasts a certified population of about 15,000.

Systems Security
Certified Practitioner (SSCP). The other (ISC)2 security
certification is more entry-level. It identifies network and systems
administrators who can implement and manage the policies, standards, practices,
and procedures that CISSPs create and manage, on whatever hardware and software
is involved. Thus, the SSCP complements the CISSP as an operations
certification.

NOTE

(ISC)2 offers a program called the Associate of (ISC)2, which recognizes candidates who have passed the SSCP or CISSP exam and are in the process of gaining the required experience to become SSCP or CISSP certified. The Associate of (ISC)2 is not a certification but rather a stepping stone on the way to the SSCP or CISSP. According to the (ISC)2 Web site, Associate candidates benefit from obtaining "career-related support" through (ISC)2 early on in their professions.

About the CISSP Program

Becoming a CISSP requires that you pass one exam, but it's a
challenge: This exam consists of 250 multiple-choice questions pulled from 10
different security-related knowledge domains. That's why candidates are given
up to six hours to complete this exam. In fact, the CISSP is a senior-level
certification intended to identify individuals who are fully qualified to work
as security professionals full-time. In practice, working full-time in security
means filling one of two kinds of jobs:

A full-time job as a
security professional inside a corporation or organization big enough to need its
own in-house security staff full-time.

A full- or part-time job
as a security consultant, either freelance or within a consulting organization,
in which a full-time security professional handles as many accounts as are
necessary to generate the right level of billing. Thus, such a job could fall
in any kind of organization, from a small, focused security professional
practice to a large, multinational consulting firm that offers security
consulting among its other professional services.

For serious, advanced security professionals, the knowledge domains
associated with the CISSP cover a lot of ground, but the exam sticks closely to
subjects and technologies intimately related to security matters. The 10
knowledge domains relevant to the CISSP include the following:

Access Control Systems and Methodology. This involves
planning, design, use, maintenance, and auditing of user and group accounts;
access controls; rights and permissions; and various authentication mechanisms.

Application and
Systems Development. This area involves understanding how security relates
to application development and data management, including technologies and
threats such as worms, viruses, Trojan horses, active content, and more. It
also encompasses working with databases and data warehouses, managing and
controlling data stores, working with systems development and security control
systems and architectures, managing system integrity levels, recognizing and
dealing with malicious code, and understanding common system and network
attacks.

Business Continuity
and Disaster Recovery Planning. This includes mastering common practices,
data requirements, and arrangements necessary to maintain business continuity
in the face of disruptions. It also involves planning, preparation, testing,
and maintenance of specific actions to prevent critical business processes and
activities from being adversely affected by failures and interruptions.

Operations Security.
In this area, topics include planning, design, implementation, and management
of system and network security, including basics of administrative management.
Also included are important concepts in security operations such as antivirus
management, backups, and need-to-know regimes; kinds and methods for applying
operational security controls; access control requirements; auditing needs,
methods, and reports; monitoring types, tools, and techniques; and intrusion
detection and penetration testing needs, methods, and tools.

Cryptography.
Candidates must understand basic cryptography and how it applies to
confidentiality, integrity, authentication, and nonrepudiation. In addition,
key areas include cryptographic concepts, methods, and practices, including
digital signatures; encryption/decryption and related algorithms; key
distribution, escrow, and recovery; error detection/correction; hashes,
digests, and ciphers; public and private key algorithms; public key
infrastructure (PKI); architectures for implementing cryptography; and
well-known cryptographic attacks and countermeasures.

Law, Investigation,
and Ethics. This requires a basic understanding of laws and regulations on
licensing, intellectual property, imports/exports, liability, and data flows
across borders relevant to system or network security or business operations.
This includes knowledge of computer crime laws and regulations, investigative
procedures, evidence gathering, incident handling, and ethical and conduct
issues.

Physical Security.
This involves understanding facilities requirements, controls, and
environmental and safety issues as well as understanding physical security
threats and elements of physical security such as threat prevention, detection,
and suppression; fire, water, and toxic material threats; and alarms and
responses.

Security Architecture
and Models. This includes basic principles of computer and network
architecture; common security model architectures and evaluation criteria; and
common security flaws and issues linked to specific architectures and designs.

Security Management
Practices. Basic concepts and principles include privacy, confidentiality,
availability, authorization, identification and authentication, and
accountability. Also included are change control and management, data
classification schemes (government and private), employment policies and
practices, and ways to work with procedural security for formulating policies,
guidelines, and procedures.

Telecommunications,
Network, and Internet Security. This area includes the ISO/OSI Network
Reference Model; communications and network security through topology,
protocols, services, APIs, and remote access; Internet/intranet/extranet
equipment and issues such as firewalls, routers, switches, proxies, and
gateways; TCP/IP and related protocols and services; and connection services.
Also included is a broad range of communications security techniques such as
tunneling, VPNs, NAT, and error detection and correction methods; security
practices for email, fax, and voice services; and common network attacks and
associated countermeasures.

CISSP candidates must agree to abide by the CISSP code of ethics,
submit an Endorsement Form signed by a CISSP, and, if selected, pass a
background and experience audit. Candidates must have four or more years of
experience in at least one of the 10 knowledge domains (or three years’ direct
experience along with a college degree or the equivalent life experience).

By virtue of its length and its broad coverage, the CISSP exam is
regarded as something of an ordeal. That's why we urge you to obtain and review
the CISSP Study Guide mentioned earlier in this article, especially the
reference materials cited therein. You might be interested to learn that the (ISC)2
calls the objectives based on its 10 CISSP information domains the Common Body
of Knowledge (CBK). That's why you might want to take an authorized CBK Review
Seminar to help prepare for this exam.

CISSPs can choose a concentration much like a college student chooses a "major" in a college degree program. Currently, (ISC)2 offers three concentrations: ISSAP (Architecture), ISSMP (Management), and ISSEP (Engineering). The ISSAP and ISSMP exams consist of 125 items; the ISSEP exam consists of 150 items. Candidates have up to 3 hours to complete each concentration exam. Visit https://www.isc2.org/cgi-bin/content.cgi?category=84#cat06 for details about the ISSAP, ISSMP, and ISSEP concentrations.

About the SSCP Program

Obtaining an SSCP also means passing one exam. The number of
questions is half that for the CISSP: 125 questions, with up to 3 hours to
complete it. The SSCP is an entry-level security certification that identifies
individuals who can integrate day-to-day security activities into full-time
jobs as system or network administrators. Although the descriptions for all
seven of the knowledge domains for the SSCP match those for the CISSP, an SSCP
candidate's knowledge need not be as deep or intimate as a CISSP candidate's.

The seven information domains for the SSCP are as follows:

Access Control. This involves using, applying, monitoring,
and maintaining access controls to determine what users can do, which resources
they may use, and the operations that they can perform on a system. This
includes familiarity with access controls such as biometrics, hardware
tokens/smart cards, and passwords, with an understanding of the levels of
confidentiality, integrity, and availability that each type allows.

Audit and Monitoring.
Included here are the topics of monitoring system activities and events, plus
auditing use and assignment of access controls and related system objects or
resources. This area also covers data collection, including logging, sampling,
and reporting; audit review and compliance checking; and legal issues related
to monitoring and auditing.

Cryptography.
Cryptography provides mechanisms to alter data to maintain its integrity,
confidentiality, and authenticity. Topics included are basic cryptography terms
and concepts; definitions, applications, and uses for public and private key
technologies; and the use of digital signatures.

Data Communications.
This area covers network structures, transmission methods, transport formats,
and protocol- and service-level measures used to maintain data integrity,
availability, authentication, and confidentiality. This includes issues related
to communications and network security for local and wide area networks; remote
access; roles that networking devices—such as routers, switches, firewalls,
proxies, and so on—play on the Internet, extranets, and intranets; security
aspects of TCP/IP protocols and services; and techniques for detecting and
preventing network attacks.

Malicious Code/Malware.
Malicious code means any software-based security threat that can compromise
access to, operation of, or contents of systems or networks, including viruses,
worms, Trojan horses, active content, and other threats. Candidates should
understand mobile and malicious code, be able to identify related threats,
explain how such code enters networks, and describe and apply appropriate
protection, repair, and recovery methods.

The SSCP exam is relatively easy when compared to the CISSP exam,
but it's no pushover. That's why we urge you to obtain and review the online SSCP
Study Guide—especially the reference materials—cited earlier in this
article. Although the course covers all 10 CBK domains (and the SSCP covers
only 7 of those 10), you might want to investigate an authorized CBK Review
Seminar to help you prepare for this exam.

Like the CISSP, the SSCP certification lasts for three years. You
can recertify by taking 60 hours of continuing education during the interim or
by retaking the CISSP exam; see http://www.isc2.org/cgi-bin/content.cgi?page=46
for more information.